XSS leading to client-side RCE 2 #3444

Closed
Echocipher opened this issue Nov 18, 2021 · 3 comments
@Echocipher

Describe the problem

For details on the cause of the vulnerability, see "XSS leading to client-side RCE". Filtering by blacklist alone cannot guarantee security; switching the payload to the following:

`![a]("<img src=xss onerror=alert(1)>)`

[image]

After that, command execution is also possible.

[image]

Version environment

  • Version: v1.5.3
  • Operating system: Windows/Mac
  • Browser (if used): all
@88250 88250 self-assigned this Nov 18, 2021
@88250 88250 added the Bug label Nov 18, 2021
@88250 88250 added this to the 1.5.4 milestone Nov 18, 2021
@88250 (Member)

88250 commented Nov 18, 2021

> Filtering by blacklist alone cannot guarantee security

Do you have any suggestions?

@Echocipher (Author)

> > Filtering by blacklist alone cannot guarantee security
>
> Do you have any suggestions?

XSS is mainly a matter of handling input; you can refer to frameworks such as DOMPurify. For the command-execution problem, you can upgrade Electron or configure Electron's nodeIntegration.

@88250 (Member)

88250 commented Nov 20, 2021

> > > Filtering by blacklist alone cannot guarantee security
> >
> > Do you have any suggestions?
>
> XSS is mainly a matter of handling input; you can refer to frameworks such as DOMPurify. For the command-execution problem, you can upgrade Electron or configure Electron's nodeIntegration.

Thanks for the guidance. We will keep improving the filtering of HTML attributes; the implementation is at https://github.com/88250/lute/blob/master/render/sanitizer.go
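The payload in this report works because the Markdown image destination is written into the `src` attribute without escaping, so a destination containing `"` and `<` closes the attribute and injects a second tag; a blacklist of known-bad strings cannot enumerate every such break-out. The example below is added here and is not the lute sanitizer or any other code from this project: it contrasts a renderer that concatenates the destination raw (the failure mode described in the issue) with a hardened renderer that validates the destination against a constructed scheme allowlist and HTML-escapes every attribute value it emits. The Electron `nodeIntegration` hardening mentioned in the thread is an application-configuration change and is not covered by this example.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// allowedImageSchemes is a constructed allowlist of URL schemes accepted for
// image destinations; anything else (javascript:, data:, file:, ...) is rejected.
var allowedImageSchemes = map[string]bool{"http": true, "https": true}

// vulnerableRenderImage mirrors the failure mode in the report: the Markdown
// destination is concatenated straight into the src attribute, so a destination
// containing a quote and a '<' breaks out of the attribute and injects a new tag.
func vulnerableRenderImage(dest, alt string) string {
	return `<img src="` + dest + `" alt="` + alt + `" />`
}

// sanitizeImageDest validates a destination before it may be used as an image
// source. It returns false for anything that is not a plain http(s) or relative
// URL made of printable, non-delimiter characters.
func sanitizeImageDest(dest string) (string, bool) {
	dest = strings.TrimSpace(dest)
	if dest == "" {
		return "", false
	}
	for _, r := range dest {
		// Control characters, whitespace and HTML/attribute delimiters never
		// appear in a legitimate URL that has not been percent-encoded.
		if r <= 0x20 || r == 0x7f || strings.ContainsRune(`<>"'`, r) {
			return "", false
		}
	}
	u, err := url.Parse(dest)
	if err != nil {
		return "", false
	}
	// Relative destinations (no scheme) are fine; absolute ones must be on the allowlist.
	if u.Scheme != "" && !allowedImageSchemes[strings.ToLower(u.Scheme)] {
		return "", false
	}
	return dest, true
}

// renderImage is the hardened renderer: it rejects bad destinations outright and
// HTML-escapes every attribute value it emits, so no value can close the attribute.
func renderImage(dest, alt string) string {
	safe, ok := sanitizeImageDest(dest)
	if !ok {
		// Degrade to the escaped alt text rather than emitting a broken <img>.
		return html.EscapeString(alt)
	}
	return fmt.Sprintf(`<img src="%s" alt="%s" />`, html.EscapeString(safe), html.EscapeString(alt))
}

func main() {
	payload := `"<img src=xss onerror=alert(1)>` // the destination from the report
	fmt.Println("vulnerable:", vulnerableRenderImage(payload, "a"))
	fmt.Println("hardened:  ", renderImage(payload, "a"))
	fmt.Println("hardened:  ", renderImage("https://example.com/a.png?x=1&y=2", "a"))
}
```

The two defenses are independent and both are needed: the scheme allowlist stops `javascript:` and similar destinations that are perfectly well-formed attribute values, while attribute escaping stops values that are well-formed URLs from a blocklist's point of view but carry attribute delimiters. Rejecting on any delimiter character rather than trying to strip them avoids the incomplete-blacklist problem the reporter points out.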
